Next-Generation Firewalls Do More than Block Traffic

Tim Kridel is an independent analyst and freelance writer with years of experience in covering technology, telecommunications and more.

Students are tech-savvy. So are the people who want to exploit them and the schools they attend. Those are just two of the many reasons why school districts are increasingly upgrading their firewalls to next-generation platforms that do more than just block unauthorized traffic.

Case in point: In August 2015, Winona Area Public Schools wanted to consolidate multiple services onto a single platform, including web content filtering, encryption, VPN, application control, QoS, IPS and directory services integration. It did that by replacing an Astaro ASG 625 and the Sophos Enduser Protection Suite with Fortinet’s FortiGate 1000D.

“It is great having content filtering working within the same appliance,” says Kevin Flies, Winona’s information systems director. “It is much easier to determine why a particular site may or may not be working.”

Cutting Back on Complexity

Consolidation also reduced complexity that was a byproduct of having the server and firewall in separate buildings. For example, although both could be managed remotely, IT staff had to log in to multiple applications every time they made updates and other changes.

“With Fortinet, we can manage all of these resources from a single interface,” Flies says. “I think the simplest way to sum that up was ‘one OS, one interface, one system, one location.’ ”

Some districts upgrade to next- generation firewalls (NGFWs) around the time they start providing students with notebooks and tablets. That was the case at suburban Seattle’s Lake Washington School District, which deployed a Palo Alto Networks PA-5020 to enable deep packet inspection for identifying and thwarting file sharing.

“This rapid expansion of the devices on our network mandated more capacity at all levels and the ability to better deal with modern cybersecurity threats,” says Sally Askman, director of technology. “Furthermore, we were looking to minimize the number of devices (a separate firewall, URL filter and deep packet inspection device) while bringing high availability to our network core.”

Getting More Processing Power

By February 2015, Lake Washington needed even more core processing power to support skyrocketing sessions, so it upgraded to a pair of PA-5060s configured in an active-passive way for redundancy.

“This change allowed us to remove our Internet aggregation device, URL filter appliance and firewall, and consolidate them all into a single NGFW,” Askman says. Earlier this year, Lake Washington added Microsoft Direct Access, enabling the district to tunnel student devices back to its network to become URL filtered by the PA-5060. That allowed the district to retire its external filtering agents and appliance.

“Our students can get on any Internet connection, and we know that they have a barrier of protection with the NGFW for malware and inappropriate websites,” Askman says. “We now have excellent visibility in the traffic traversing our firewall through a single pane.”

Cyberthreats Averted

Districts that have upgraded to NGFWs say they provide insights and protections that traditional firewalls can’t deliver. But when comparing different vendors’ NGFWs, it’s important to scrutinize how user friendly all of those capabilities are. If they’re not, they’re less likely to be used, undermining security.

“Application control is a feature we did not use in our previous firewall, as it was cumbersome and convoluted,” Flies says. “Fortinet easily allows you to set priority levels on application categories.”

File sharing such as bit torrent and firewall-bypass software are two common vulnerabilities that NGFWs help stop via techniques such as deep packet inspection. They also can thwart malware that communicates with servers by blocking that traffic. “This could really help to narrow down the location of a malware breakout quickly if it were to occur, and mitigate the damage, as the malware is not able to send back to the hacker server,” Askman says.

Flexibility and Future Proofing

Because they’re software-defined and signature-based, NGFWs also give districts more flexibility and future proofing. For example, instead of just blocking ports, NGFWs can block specific application signatures, which change over time. That’s one major benefit that Hillsborough County Public Schools got when it deployed FortiGate. The Tampa, Fla., district also became better able to address changes in traffic types, such as those involving tablets, which have apps that aren’t running typical HTTP.

“Most of the traffic, even Google images, have started using secure connections — HTTPS — and we had a tough time getting that addressed because of the way Google handles it,” says Rick Laneau, executive officer for IT compliance. “With the new firewall, we started doing man in the middle.

Hillsborough also got deep visibility into what’s traversing each port. That turned up a few surprises.

“We actually block more than we originally thought we were blocking,” says Scott Gafner, IT manager for infrastructure and shared services. “Our traffic utilization went down because once we started blocking, we think the kids started dropping off and going to their own cellphones’ data plans.”

This visibility also enables districts to prove that a device wasn’t connected to its network when it accessed explicit content — key for ensuring compliance with the Children’s Internet Protection Act. That was the case recently when a parent called to complain about a student sharing offensive images on a cellphone, and the NGFW determined that the pictures were downloaded over cellular.

“It gets blamed on the school network, but we know it didn’t come from that,” Laneau says.

5 Tips for Getting the Most Bang for Your Buck

School districts are using next-generation firewalls for consolidation, content filtering and more.

NGFWs still perform the basic job of stateful packet inspection, but they also consolidate functions traditionally performed by point products.

That Swiss Army knife–approach makes it challenging for IT managers to know what capabilities to seek. Here are a few high-level suggestions from NGFW users.

1. Determine strategies and threats so they can guide shopping. “Know what you’re planning to block and have the policies before you buy the tools,” says Rick Laneau, executive officer for IT compliance at Hillsborough County Public Schools.

2. Look for flexibility. “Technology changes, and people’s conception of what’s allowed and needed also changes, so you don’t want to lock yourself into a rigid system,” says Scott Gafner, Hillsborough’s IT manager for infrastructure and shared services.

3. Check what peers are using. “We wanted to feel comfortable that the solution was performing as stated and was well-received in the K–12 market,” says Kevin Flies, information systems director at Winona Area Public Schools. “Gaining this valuable insight and recommendations from our colleagues in other K–12 or higher ed institutions in our area was an important factor.”

4. Calculate total cost of ownership to help determine what you can afford. “We felt strongly that the ability to consolidate multiple pieces of hardware and software into a single platform was the most cost-effective approach for us both in terms of deployment costs and future support costs,” Flies says.

5. Train staff so they can use all of the NGFW’s features — maximizing return on investment and effectiveness. “That’s key,” Laneau says. “Just having a tool turned on and sitting in a corner doesn’t do anybody any good.”